David Morgan
Ethernet Frame
[Figure: frame layout: DEST MAC | SOURCE MAC | ET]
There are other Ethernet frame formats, but they are the minority.
MAC Addresses
A MAC address (also known as a hardware address or physical
address) is a 6-byte address assigned by the IEEE Standards
Association and is unique for every Ethernet device ever
manufactured.
The first three bytes are the OUI (Organizationally Unique
Identifier); the second three bytes are a unique identifier assigned by
the vendor.
[Figure: MAC Address = OUI + Card Specific ID]
MAC Address of Ethernet NIC
[Figure: the NIC's MAC address 00:11:22:33:44:55 is the source MAC of the frame sent to the world: DEST MAC | 00:11:22:33:44:55 | ET | PAYLOAD | CRC]
Buffers MAC
copies MAC to buffer, buffer to frame
[Figure: NIC MAC 00:11:22:33:44:55 -> buffer 00:11:22:33:44:55 -> frame: DEST MAC | 00:11:22:33:44:55 | ET | PAYLOAD | CRC]
Spoofing MAC
MAC is read-only, but buffer is read-write
[Figure: NIC MAC 00:11:22:33:44:55, buffer AA:BB:CC:DD:EE:FF]
or
ip link set ethX address AA:BB:CC:DD:EE:FF
writes the buffer
[Figure: spoofed frame: DEST MAC | AA:BB:CC:DD:EE:FF | ET | PAYLOAD | CRC]
Ethertype
The two bytes after the source MAC in Ethernet II are the Ethertype
Identifies the type of frame:
0800 is IP
0806 is ARP
8137 is Novell IPX
8100 is VLAN
802.3 Ethernet uses these two bytes as a length field
How does a device know which of the two the field refers to?
Since the maximum legal frame size is 1514 (1518 with VLAN
tags), a length value can never be as large as an Ethertype code, so there's no chance of overlap.
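Added example (not part of the original slides): a Python parser for the 14-byte header described so far, showing how a receiver separates an Ethertype from an 802.3 length and how the source MAC splits into OUI and card-specific ID. The names parse_frame and fmt_mac and the sample frames are constructed for illustration; the 0x0600 (1536) cutoff and the locally administered bit come from IEEE 802.3 and IEEE 802 addressing, not from the slides.

```python
import struct

# Names from the Ethertype list above; anything else is shown as hex.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8137: "Novell IPX", 0x8100: "VLAN"}

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Parse the header of a frame captured without its trailing CRC."""
    if len(frame) < 14:
        raise ValueError("truncated frame: Ethernet header is 14 bytes")
    dst, src = frame[0:6], frame[6:12]
    (field,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if field == 0x8100:  # VLAN tag: 2 bytes of tag control, then the real type
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, field = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "src_oui": fmt_mac(src[:3]),
        "src_card_id": fmt_mac(src[3:]),
        # Bit 0x02 of the first byte marks a locally administered address,
        # i.e. one that was not assigned out of a vendor's OUI block.
        "src_locally_administered": bool(src[0] & 0x02),
        "vlan": vlan,
        "payload": frame[offset:],
    }
    if field >= 0x0600:    # 1536 and up: Ethernet II Ethertype
        info["kind"] = "Ethernet II"
        info["type"] = ETHERTYPES.get(field, f"0x{field:04X}")
    elif field <= 1500:    # 802.3: the field is the payload length
        info["kind"] = "802.3"
        info["length"] = field
    else:                  # 1501..1535 is neither a length nor a type
        info["kind"] = "invalid"
    return info

# Constructed sample frames (not captured traffic), each with a 46-byte payload.
BROADCAST = bytes.fromhex("ffffffffffff")
BURNED_IN = BROADCAST + bytes.fromhex("001122334455") + b"\x08\x06" + bytes(46)
SPOOFED = BROADCAST + bytes.fromhex("aabbccddeeff") + b"\x08\x00" + bytes(46)
TAGGED = BROADCAST + bytes.fromhex("001122334455") + bytes.fromhex("8100000a0800") + bytes(46)
DOT3 = BROADCAST + bytes.fromhex("001122334455") + b"\x00\x2e" + bytes(46)
```

The slides' example address AA:BB:CC:DD:EE:FF has the locally administered bit set, which is a useful hint when reviewing captures, but a rewritten address can just as easily use a real vendor's OUI, so a clear bit proves nothing.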
Data (Payload)
Following the 14 bytes of Ethernet header will be between 46
and 1500 bytes of payload. This will give a minimum Ethernet
frame of 64 bytes and a maximum of 1518 bytes.
14 bytes header + 46 bytes payload + 4 bytes CRC = 64
14 bytes header + 1500 bytes payload + 4 bytes CRC = 1518
PDU Encapsulation
The payload portion of the Ethernet frame usually contains the
protocol information from higher-layer PDUs such as IP and
TCP.
Ethernet 14 bytes
IP 20 bytes
TCP 20 bytes
Data
Live Capture
[Figure: live capture showing destination MAC and SMAC]
Basic Concepts
To address a particular network node you must have the hardware MAC address
If the destination MAC isn't right, it doesn't get there
All higher level protocols sent over ethernet are encapsulated in an ethernet frame
[Figure: frame fields: Destination HWAddress | Type | Packet Checksum]
Ethernet types
type examples and their codes
SrcHW | DestHW | 0800 | IP packet | packet checksum
SrcHW | DestHW | 809B | AppleTalk packet | packet checksum
SrcHW | DestHW | 0806 | ARP packet | packet checksum
Ethernet carrying IP
[Figure: Source HWAddress | Destination HWAddress | 0800 | Source IPAddress | Destination IPAddress | Packet Checksum]
Ethernet's payload may be an IP packet
[Figure: Destination HWAddress | 809B | Packet Checksum]
Ethernet's payload may be an AppleTalk packet
[Figure: Destination HWAddress | 0806 | Packet Checksum]
Ethernet's payload may be an Address Resolution Protocol message